Snapchat says millions of user accounts compromised

SAN FRANCISCO (Reuters) - Snapchat, the red-hot private messaging service, said on Thursday that it knew for months about a security loophole that allowed hackers this week to harvest millions of phone numbers and announced changes to its systems.

An anonymous group called Snapchat DB posted the usernames and phone numbers of 4.6 million Snapchat users on New Year's Eve, days after the startup - headed by 23-year old founder Evan Spiegel - brushed off warnings that its app still contained security loopholes.

The hacker group, which claimed to be based in the United States and Europe, made the entire database available for download but redacted the last two digits of every phone number. Snapchat DB said it was working to raise awareness about Snapchat's security holes, not out of malicious intent.

In its first public statement since the leak, Snapchat said in a blog post on Thursday that no "snaps" - the contents of messages - were compromised or accessed as part of the hack.

Snapchat was first alerted to the vulnerability in August by a security group called Gibson Security. Snapchat said it made changes to its system to address the weaknesses, but the company also published a blog post downplaying the threat as "theoretical" on December 27.

Snapchat DB carried out the hack and disclosed the phone numbers just four days later.

The hack was a rare black eye for a high-flying appmaker started by Stanford University undergraduates in 2011. Snapchat has soared in popularity over the past year because it allows its users - mostly teens - to send private pictures and messages that self-destruct after 10 seconds at most.

Snapchat's immense popularity among young users has made it one of the most closely watched social media companies in the world, and Facebook Inc reportedly offered $3 billion last year in a failed acquisition bid.

Snapchat asks new users for their phone number so that their friends can find them on the service. The phone numbers were not attached to any real names.

Calling the hackers' disclosure an "abuse" of its system, Snapchat said Thursday that it was first told by security experts in August that its "Find Friends" feature may contain a weakness.

The company did not apologize for the leaks but said it would carry out some changes to prevent further unwanted disclosures.

"We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number," the company wrote. "We're also improving rate limiting and other restrictions to address future attempts to abuse our service."

Rate limiting restricts how many times a party can query the Snapchat servers.

CHANGES 'PROMISING'

In an email to Reuters, the group claiming to be behind the New Years Eve hack called it "promising" that Snapchat was beginning to address its security vulnerabilities.

"Let's hope they aren't trying to downplay the situation once again and avoid the heat, but instead taking reasonable steps to secure sensitive user information," Snapchat DB said. "Actions speak louder than words."